Unidirectional communication system and method

ABSTRACT

A unidirectional communication system to allow the sending of alerts and notification to remote operators while relieving the problem of the protection of a secured network against cyberattacks when the secured network has a need to communicate information from the secured network to a public network. In practice, the solution is based on the use of a data diode (also known under the name of network diode) to allow unidirectional transmission of information from the secured network to a public network, which makes a computer attack on the secured network from the public network impossible. Further, because of a commanded data diode, no sensitive information can leak from the secured network via the system according to the invention. The transmission of the message is only done after the message to be sent has been cleaned of sensitive information and then encrypted.

TECHNICAL FIELD

The present invention relates to a system for communication from asecured network to a lower confidence network.

PRIOR ART

The ISO 22301 standard defines continuity of operation of an informationsystem in use as the capacity thereof to continue providing products ordelivering services at acceptable and previously defined levels after adisruptive incident. Also known under the acronym MOC for maintenance inoperational condition, the continuity of activity of an informationsystem in use aims to define all the methods and procedures necessary sothat the information system remains fit for the use assigned to itthroughout the time of use thereof.

In information systems characterized as critical, MOC represents asignificant operating cost because it often requires the presenceon-site of at least one maintenance technician who must be ready to actat any moment, upon detection of a disruptive incident. Thisconfiguration is especially dictated by the need for confidentiality ofthe information related to the operation of these systems.

In order to reduce the operating cost of the MOC, operators of criticalinformation systems are more and more considering the use of remotemonitoring, as is often the case for noncritical information systems. Inpractice, when a disruptive event occurs, a warning message isautomatically sent to the on-call maintenance technician, for example bySMS text message, email or voice call over fixed or cellular telephone.

However, the adoption of remote monitoring of critical informationsystems via a public network does not inspire confidence in theoperators involved. In fact, the mechanisms currently used for makingon-call calls do not guarantee sufficient security of theinterconnection between the information system and the public network,such that there are risks of computer intrusion and or loss of sensitiveinformation.

It is therefore important to propose a solution with which to resolvethese problems because such security problems can allow execution ofcomputer attacks provoking, for example, the modification of theavailability of the information system, unavailability thereof bysaturation of these resources or allow, for example, retrieval ofsensitive information from the information system.

BRIEF DESCRIPTION OF THE INVENTION

For that purpose, a first object of the invention relates to acommunication system for transmission of at least one message from afirst network of a first information system towards a second network ofa second information system, where the first network has a highersecurity classification than the second network. In practice, the systemcomprises:

a system input connectable to the first network and intended forreceiving the message, where the message comprises at least one firstmetadata related to the operation of the first information system;

a system output connectable to the second network;

an information analysis and filtering unit coupled to the system inputand intended for generating a filtered message by filtering the messagedepending on a filtering signal such that at least one sensitiveinformation related to the at least one first metadata is masked;

an information encryption unit coupled with the information analysis andfiltering unit, and intended to generate an encrypted message byencrypting the filtered message depending on an encryption signal;

a data diode circuit coupled to the information encryption unit, andcomprising a circuit input and a circuit output, where the data diodecircuit is intended to unidirectionally transfer the encrypted messagebetween the circuit input and the circuit output, and where the datadiode circuit further comprises a command input and activation means forblocking or allowing the passage of the encrypted message between thecircuit input and the circuit output depending on a command signalreceived at the command input;

a message sending unit coupled between the circuit output and the systemoutput and intended to send a call message comprising the encryptedmessage; and

a processor coupled to the information analysis and filtering unit, theinformation encryption unit and the circuit, and intended to generatethe filtering signal, the encryption signal and the command signal.

In a first embodiment, the data diode circuit further comprises a datadiode element having a transmission unit intended to send the encryptedmessage unidirectionally, where the activation means are intended to beactuatable between a first position in which the activation means arearranged so as to interrupt the supply of the transmission unit and asecond position in which the activation means are arranged so as toactivate the supply of the transmission unit.

In a second embodiment, the information analysis and filtering unit isfurther intended to generate a first operation termination signalindicating the completion of the information analysis and filtering unitoperations. Further, the information encryption unit is further intendedto generate a second operation termination signal indicating thecompletion of operations of the information encryption unit. Finally,the processor is further intended to generate the command signal inresponse to the successive generation of the first operation terminationsignal and the second operation termination signal.

In a third embodiment, the system further comprises:

a memory port coupled to the processor and intended to receive aportable memory; and

a portable memory receivable in the memory port and configured forstoring filtering data and encryption data.

In this case, the processor is further intended to configure thefiltering signal and the encryption signal, based on the filtering dataand encryption data, respectively.

According to an example of the third embodiment:

the portable memory is further configured for storing at least onecontact list comprising at least one call number for a mobile device tobe contacted, where each call number is related to at least one secondmetadata related to the operation of the first information system;

the processor is further intended to include the contact list in thefiltering signal;

the information analysis and filtering unit is further intended togenerate a relationship message relating the filtered message and atleast one call number for which the at least one second metadata matchesthe first metadata;

the information encryption unit is further intended to relate therelationship message to the encrypted message; and

the message sending unit is further intended to send the call messagedepending on the relationship message.

In this case, preferably, the message sending unit is further intendedto generate and send a periodic pulse message while waiting for a callmessage.

Advantageously, the message sending unit is further intended to destroythe call message following sending the call message.

In a specific arrangement, the message sending unit is configured forsending the call message by using a messaging protocol chosen among atleast one of the following protocols: SMS, MMS, XMPP and SMTP.

In another specific arrangement:

the information analysis and filtering unit, the information encryptionunit and the processor are included in a first enclosure;

the data diode circuit is included in a second enclosure; and

the message sending unit is included in a third enclosure.

In this case, the first enclosure, second enclosure and third enclosureare geographically distinct from each other such that no electromagneticradiation can be picked-up from one enclosure to another.

Advantageously:

the information analysis and filtering unit, the information encryptionunit, the processor and the message sending unit are included in a firstenclosure; and

the data diode circuit is included in a second enclosure.

In this case, the first enclosure and second enclosure aregeographically distinct from each other such that no electromagneticradiation can be picked-up from one enclosure to another.

Finally, a second object of the invention relates to a method fortransmission of at least one message from a first network of a firstinformation system towards a second network of a second informationsystem, where the first network has a higher security classificationthan the second network, and where the message comprises at least onefirst metadata related to the operation of the first information system.In practice, the method comprises the following steps:

generating a filtered message by filtering the message depending on afiltering signal such that at least one sensitive information related tothe at least one first metadata is masked;

generating an encrypted message by encrypting the filtered messagedepending on an encryption signal;

unidirectionally transferring the encrypted message from the securednetwork to the unsecured network depending on a command signal, onlywhen the filtering and encryption have been done.

BRIEF DESCRIPTION OF THE DRAWINGS

The characteristics and advantages of the invention will be betterunderstood upon reading the following description and referring to theattached drawings, given for illustration and in no way limiting.

FIG. 1 shows an example embodiment of the system according to theinvention.

FIG. 2 shows an embodiment of the data diode circuit according to theinvention.

FIG. 3 shows a process diagram of a method according to the invention.

DESCRIPTION OF THE EMBODIMENTS

In the context of this description, information system is understood tomean all of the material means, software means, databases andcommunication networks that can be arranged for providing products ordelivering services in a domain referred to as critical.

Further, critical domain is understood to mean the information systemsfor which a failure could have dramatic consequences, like death,serious injury, major material or economic losses, or seriousconsequences for the environment. Thus, this definition covers, forexamples, transportation information systems (for example for pilotingan aircraft, train, car or boat), energy information systems (forexample for control of a nuclear power plant), health informationsystems (for example a medical device) or also for telecommunicationinformation systems (for example a ground communication system for asatellite communication system). Just the same, any information systemmeeting the above definition is also considered in this description.

In the description, disruptive incident is also understood to mean allof the events connected with the operating state of an informationsystem such as: the failure of a storage component, failure of supply toa motor of a device, drop of control voltage of a machine, drop of thepower (e.g. hydraulic, electrical, etc.) received by a machine, andmechanical failure. Note however that the invention does not cover thedetection and diagnosis of a disruptive incident. In the remainder ofthe description, it will be considered that an incident involving aninformation system was detected and diagnosed as being disruptive. Thedisruptive incident is next included in a message to be sent to amaintenance technician or a technical expert.

In the invention, a solution is proposed to the problem of theprotection of a secured network against cyberattacks when the securednetwork has a need to communicate information from the secured networkto a public network, for example by sending alerts and notifications toremote operators. In practice, the solution is based on the use of adata diode (also known under the name of network diode) to allowunidirectional transmission of information from the secured network to apublic network. This has the effect of making a computer attack on thesecured network from the public network impossible. Thus, this layoutguarantees the physical separation between the secured network and thepublic network.

FIG. 1 shows a system 300 according to the invention. In the examplefrom FIG. 1, the system 300 is placed between the secured network 100and an unsecured network 200. The secured network 100 is associated witha first information system whereas the unsecured network 200 isassociated with a second information system different from the firstinformation system. In general, the secured network 100 is considered asmore secure than the unsecured network 200, because it has a highersecurity classification than that the unsecured network 200.

Structurally, the system 300 has a system input 301 and a system output302. Further, the system 300 comprises an information analysis andfiltering unit 310, an information encryption unit 320, a data diodecircuit 330, a message sending unit 340 and a processor 350.

In the example from FIG. 1, the system input 301 is configured for beingconnected to the secured network 100 whereas the system output 302 isconfigured for being connected to the unsecured network 200. When thesystem 300 is in operation, the system input 301 is intended to receivea message comprising at least one metadata related to the operation ofthe first information system.

Message is understood to mean a set of digital signals placed in apredetermined format. For example, the message received at the systeminput 301 can be a text message according to the RFC-5424 standard orany other standard whether standardized or not. The message can comprisemessage identification elements, message generation time and date stamp,message source identification or even identification of the event havingled to the generation of the message. However, other elements can beadded to the message to be sent.

Here, metadata is understood to mean any information descriptive of theoperation of the first information system. For example, in thetransportation domain, it can involve data about failure of a storagecomponent, the state of health of the engines or even the temperature ofa part or component.

Returning to FIG. 1, the information analysis and filtering unit 310 iscoupled to the system input 301. In operation, the information analysisand filtering unit 310 is configured for generating a filtered messageby filtering the received message depending on a filtering signal. Thefiltering signal contains all the information allowing the informationanalysis and filtering unit 310 to determine the extent of theinformation to be filtered. In practice, the information analysis andfiltering unit 310 filters the metadata from the message received fromthe system input 301 such that at least one item of sensitiveinformation related to the metadata is masked. The effect of this is toprevent the leakage of sensitive information from the secured network100.

Sensitive information is understood to mean information or knowledgeobtained directly or indirectly that, if it were revealed to the public,would be harmful to the information system which it is about. In otherwords, it involves an item of information whose disclosure, misuse,modification or unauthorized access could unfavorably affect thesecurity of the information system involved. For example, it couldinvolve information related to the identification of the computerservers of the information system such as the IP addresses, server namesor even the size of the computer servers. In fact, such information can,for example, provide information about the attack or defense capacitiesof the information system. In this case, if the sensitive informationfalls into the wrong hands, it could unfavorably affect the security ofan organization.

In a first specific embodiment of the information analysis and filteringunit 310, the masking is done by removing sensitive information from themetadata. For example, the IP address of the server having experienced adisruptive incident can be removed from the metadata.

In a second embodiment of the information analysis and filtering unit310, the masking is done by replacing sensitive information in themetadata with one or more items of non-sensitive information. Forexample, the name of the server having experienced a disruptive incidentcan be replaced with another name or an abbreviation different from thetrue server name. In this case, the one or more replacement words mustbe known to the operator who will receive the message. Anotherpossibility of the same order can consist of replacing the sensitiveinformation by a decoy for encoding sensitive information.

In a third embodiment of the information analysis and filtering unit310, the masking is done by a combination of removing and replacingsensitive information. Thus, if metadata comprises the IP address andname of the server having experienced a disruptive incident, thesolutions from the first embodiment and second embodiment can be usedtogether. For example, the IP address can be replaced by an abbreviationand the server name can be removed from the metadata.

Still in FIG. 1, the information encryption unit 320 is coupled to theinformation analysis and filtering unit 310. In operation, theinformation encryption unit 320 is configured for generating anencrypted message by encrypting the filtered message depending on anencryption signal. The encryption signal contains all the informationallowing the information encryption unit 320 to encrypt the filteredinformation. In practice, the encryption can be done using anyencryption means known to the person skilled in the art, in particularby using a symmetric or asymmetric algorithm. The effect of this is toprevent interception of notification messages issued from the securednetwork 100.

Again, in FIG. 1, the data diode circuit 330 is coupled to theinformation encryption unit 320. The data diode circuit 330 comprises acircuit input 331, a circuit output 332 and a data diode element 333. Inoperation, the data diode element 333 is configured for unidirectionallytransferring the encrypted message between the circuit input 331 and thecircuit output 332. In fact, the data diode element 333, which is alsoknown under the name of network diode, is a system which allowsinterconnecting two computer networks by allowing data transfer in onlyone direction. This type of system is generally used for connecting anetwork requiring a high security level to a lesser confidence network(for example the Internet). In this case, only the passing on ofinformation from the lower confidence network is authorized in order toguarantee the confidentiality of the secured network by avoiding leaksof sensitive information. However, in the context of the invention, theuse of the data diode element 333 in the opposite direction is intendedsuch that only passing on of information from the secured network ispossible. This has the effect of making it impossible to implementcomputer attacks from outside the secured network, because there is onlya route for communication from the secured network to the lesserconfidence network and not in the other direction.

Further, in FIG. 1, the data diode circuit 330 comprises a command input335 and activation means 334 for blocking or allowing passage of theencrypted message between the circuit input 331 and the circuit output332 depending on a command signal received at the command input 335. Theactivation means 334 are intended to be actuatable between a firstposition in which the activation means 334 block the passage of theencrypted message, and a second position in which the activation means334 allow the passage of the information. Finally, the activation means334 are normally actuated in the first position.

FIG. 2 shows a specific embodiment of the data diode circuit 330according to the invention. In the example from FIG. 2, the data diodeelement 333 from the data diode circuit 330 comprises a transmissionelement TX and a receiving element RX, both provided in combination forunidirectional transmission of the encrypted message between thetransmission element TX and the receiving element RX. In an example, thedata diode element 333 is implemented on the basis of an optical fibercomprising only a single strand. In this case, the transmission elementTX can be a light source intended for emitting a light flow in theoptical fiber and the receiving element RX can be a photoreceptorintended for receiving the light flow. However other unidirectionalnetwork link implementations can also be used with the invention. Forexample, use of a partial RS-232 serial link or even a partial RJ-45ethernet link with corresponding transmitting and receiving elements isconceivable.

In a specific embodiment from FIG. 2, the means of activation 334 areactuated in a first position by commanding the interruption of thesupply to the transmission element TX whereas the activation means 334are actuated in the second position by commanding the activation of thesupply to the transmission element TX. To do that, the activation means334 can be directly connected to the supply for the transmission elementTX.

Returning to FIG. 1, the message sending unit 340 is coupled between thecircuit output 332 and the system output 302. In operation, the messagesending unit 340 is configured for sending a call message comprising theencrypted message. In a specific embodiment, the message sending unit340 is configured for sending the call message by using a messagingprotocol chosen among at least one of the following protocols: SMS,email, MMS, XMPP, etc. Also, for better security, no copy of the messagesent is retained in the system 300.

In a specific embodiment, the message sending unit 340 is furtherintended to destroy the call message following sending the call message.

In an example of the previous embodiment, the message sending unit 340is intended to receive an acknowledgment message in response to sendingthe call message and to destroy the call message in response to themessage acknowledging reception.

In another specific embodiment, the message sending unit 340 is furtherintended to generate and send a periodic pulse message (i.e. “heartbeat”or “keep alive” message) while waiting for a call message. The pulsemessage is intended to indicate to the recipient of the message that thesystem 300 is still running. In other words, the periodic pulse messageindicates to the message recipient that the system 300 continues to beactive. In an example, the period for generating and sending the pulsemessage can be set at every minute, every half hour or every hour. In aspecific embodiment, the periodic pulse message is encrypted andarranged such that it is not possible to intercept and thus be able tosimulate the presence of the system 300 by replaying a transmissionsequence of the already used periodic pulse message.

Finally, in FIG. 1, the processor 350 is coupled to the informationanalysis and filtering unit 310, the information encryption unit 320 andthe data diode circuit 330. In operation, the processor 350 isconfigured for generating the filtering signal, encryption signal andcommand signal.

In a first embodiment of the processor 350, all of the information withwhich to configure the filtering signal, encryption signal and commandsignal are included in a memory of the processor 350. In this case, theprocessor 350 is what orders the generation of the filtering, encryptionand command signals. In the context of this specific embodiment, it isunderstood that the filtering signal is generated before the encryptionsignal so as to generate the command signal actuating the activationmeans 334 in the second position only when the masking and filteringoperations have been done. For example, the processor 350 can generatethe encryption signal, on the one hand, and the command signal on theother, after a set time delay following generation of the filteringsignal, on the one hand, and the encryption signal on the other. In thisway, it can be guaranteed that the information sent was previouslyfiltered of all sensitive information and encrypted.

In a second implementation of the processor 350, the generation of thecommand signal is conditional on the execution of the operations of theinformation analysis and filtering unit 310 and then of the informationencryption unit 320. In practice, the information analysis and filteringunit 310 is further intended to generate a first operation terminationsignal indicating the completion of the information analysis andfiltering unit 310 operations. It is the same for the informationencryption unit 320 which is further intended to generate a secondoperation termination signal indicating the completion of operations ofthe information encryption unit 320. Finally, the processor 350 isfurther intended to generate the command signal in response to thegeneration of the first operation termination signal and the secondoperation termination signal. In the context of this specificembodiment, it is understood that the first operation termination signalis generated before the second operation termination signal so as togenerate the command signal actuating the activation means 334 in thesecond position only when the masking and filtering operations have beendone. In this way, it can be guaranteed that the information sent waspreviously filtered of all sensitive information and encrypted.

In another specific embodiment of the system 300, a memory port andportable memory are incorporated. In this embodiment, the memory port iscoupled to the processor 350 and configured for receiving the portablememory. Further, the portable memory is configured for storing filteringdata and encryption data. Finally, the processor 350 is suited forconfiguring, respectively, the filtering signal and the encryptionsignal based on filtering data and encryption data. Thus, in thisspecific embodiment, the data with which to configure the filteringsignal and the encryption signal are obtained from the portable memory.This offers the owners of the secured information system 100 thepossibility of determining the way in which the filtering and encryptionmust be done.

In an example of this specific implementation of the system 300, theportable memory can also be configured for storing command data usableby the processor 350 for configuring the command signal.

In an example of the preceding implementation, the portable memory isfurther configured for storing at least one contact list comprising atleast one call number for a mobile or fixed device to contact. In thisexample, each call number is related to at least one second metadataabout operation of the secure network 100. Further, the processor 350 isalso intended to include the contact list in the filtering signal.Additionally, the information analysis and filtering unit 310 is alsoconfigured to generate a relationship message relating the filteredmessage and at least one call number for which the second metadatamatches the first metadata. The effect of this layout is to allow thenotification of the occurrence of an incident to the one or several mostappropriate technicians for resolving the incident.

It will be said that the first metadata and second metadata match whenthey both comprise information about the same incident disrupting thesecured network 100. For example, if the first metadata comprisesinformation indicating that a failure of a storage component hasoccurred, then a second metadata which matches the first metadata alsocomprises information about the failure of a storage component. Inpractice, since each call number is related to a technician specializedin one or more disruptive incidents of the secured network 100, then theobjective of matching according to the invention is to limit the calllist to only numbers related to technicians specialized in thedisruptive incident which occurred.

In a specific embodiment, setting up a match table with which to relatea technical specialty to a disruptive incident can be considered. Forexample, all failures of the first information system which are linkedto mechanics can be matched with the technical specialty of a mechanic.Thus, because of the matching table and the contact list, theinformation analysis and filtering unit 310 can determine the one ormore pertinent call numbers which are related to the occurrence of aspecific disruptive incident by matching the disruptive incident to aspecific technical specialty. In practice, storing the match table in amemory of the information analysis and filtering unit 310 or even in theprocessor 350 can be considered.

In another example from the previous embodiment, outsourcing thefunctionality with which to determine the one or more relevant callnumbers which are related to the occurrence of a specific disruptiveincident to a distinct unit from the information analysis and filteringunit 310 can be considered. For example, a routing unit coupled to theanalysis unit can be used. In this case, the routing unit can comprise amemory and also a processor. The memory can also comprise the contactlist and the match table, both mentioned above. In a specific example,the information analysis and filtering unit 310 is configured forproviding the routing unit the second metadata about the operation ofthe secured network 100. Subsequently, the routing unit is configuredfor determining at least one call number for which the second metadatamatches the first metadata and returning it to the information analysisand filtering unit 310. Further, the routing unit is also configured fordetermining the one or more pertinent call numbers which are related tothe occurrence of a specific disruptive incident by matching thedisruptive incident to a specific technical specialty and returning itto the information analysis and filtering unit 310.

Subsequently, the information encryption unit 320 is also configured torelate the relationship message to the encrypted message. Finally, themessage sending unit 340 is also configured to send the call messagedepending on the relationship message. In another example of thisembodiment, including the contact list in a memory of the processor 350can be considered.

In an embodiment of the invention, physically laying out the variouselements of the system 300 according to several arrangements can beconsidered.

For example, in a first arrangement, the information analysis andfiltering unit 310, the information encryption unit 320 and theprocessor 350 are gathered in a first enclosure. Next, the data diodecircuit is included in a second enclosure distinct from the firstenclosure. Finally, the message sending unit 340 is positioned in athird enclosure distinct from the first enclosure and second enclosure.In this arrangement, the first enclosure, second enclosure and thirdenclosure can be geographically distinct from each other such that noelectromagnetic radiation can be picked-up from one enclosure toanother.

In a second arrangement, the information analysis and filtering unit310, the information encryption unit 320, the processor 350 and themessage sending unit 340 are gathered in a first enclosure. Next, thedata diode circuit 330 is positioned in a second enclosure distinct fromthe first enclosure. In this arrangement, the first enclosure and secondenclosure are geographically distinct from each other such that noelectromagnetic radiation can be picked-up from one enclosure toanother.

In the description, it was considered that the information sent from thesecured network 100 to the unsecured network 200 were linked to amalfunction of the first information system. The effect of this was toallow setting up remote on-call corrective maintenance of the firstinformation system through a public network. However, because of theinvention, some information which is not necessarily connected with themalfunction of the first information system can also be sent outside ofthe system. In this case, the information analysis and filtering unit310 should be configured to allow the corresponding information to pass.The effect of this will be to allow setting up remote supervision of thefirst information system.

The invention also relates to a sender (not shown) for a wired orwireless type communication system comprising the system 300 such asdescribed above. With such a sender, an encrypted unidirectionalcommunication can be established through any communication network andin particular through a public network.

The invention also relates to a method 400 for sending at least onefirst metadata from the secured network 100 towards the unsecurednetwork 200 according to the technical aspects described above. In FIG.3, the method 400 comprises the following steps consisting of:

generating a filtered message 410 by filtering the first metadatadepending on the filtering signal such as described above, such that atleast one sensitive information related to the first metadata is masked;

generating an encrypted message 420 by encrypting the filtered messagedepending on the encryption signal such as described above;

unidirectionally transferring 430 the encrypted message from the securednetwork 100 to the unsecured network 200, conditionally, by commandingthe passage of the encrypted message depending on the command signalsuch as described above.

The invention described provides a solution to the problem of theprotection of a secured network against cyberattacks when the securednetwork has a need to communicate information from the secured networkto a public network. In fact, overall, the system according to theinvention is difficult to be compromised by a cyberattack. Morespecifically, only the message sending unit could be compromised ordamaged by such an attack. However, since this unit is positioneddownstream from the physical security limit of the system (meaning afterthe data diode circuit), loss thereof then has no impact on the overallsecurity of the secured network. Thus, the addition of a systemaccording to the invention to an existing information system does notprovide an opportunity for implementing a cyberattack against thenetwork of this information system. Further, because of the use of thecommanded data diode circuit, it is also guaranteed that no sensitiveinformation could leak from the secured network via the system accordingto the invention. The concept of “data thyristor” can also be used. Infact, since the thyristor allows unidirectional conduction of thecurrent because of the command of a latch, the “data thyristor” allowsunidirectional transmission a message after the message to be sent hasbeen cleaned of sensitive information and then encrypted. In this case,the message takes the place of the current, whereas the confirmationinformation from the cleaning and encryption of the message servicelatch for the thyristor.

1. A communication system for transmission of at least one message froma first network of a first information system towards a second networkof a second information system, where the first network has a highersecurity classification than the second network, the communicationsystem comprising: a system input connectable to the first network andconfigured to receive the at least one message, where the at least onemessage comprises at least one first metadata related to the operationof the first information system; a system output connectable to thesecond network; an information analysis and filtering unit coupled tothe system input and configured to generate a filtered message byfiltering the at least one message depending on a filtering signal suchthat at least one sensitive information related to the at least onefirst metadata is masked; an information encryption unit coupled withthe information analysis and filtering unit, and configured to generatean encrypted message by encrypting the filtered message depending on anencryption signal; a data diode circuit coupled to the informationencryption unit, and comprising a circuit input and a circuit output,where the data diode circuit is configured to unidirectionally transferthe encrypted message between the circuit input and the circuit output,and where the data diode circuit further comprises a command input andactivation unit configured to block or allow passage of the encryptedmessage between the circuit input and the circuit output depending on acommand signal received at the command input; a message sending unitcoupled between the circuit output and the system output, and configuredto send a call message comprising the encrypted message; and a processorcoupled to the information analysis and filtering unit, the informationencryption unit and the circuit, and configured to generate thefiltering signal, the encryption signal and the command signal.
 2. Thesystem according to claim 1 wherein, the data diode circuit furthercomprises a data diode element having a transmission unit configured tosend the encrypted message unidirectionally, where the activation unitis configured to be actuatable between a first position in which theactivation unit is arranged to interrupt a supply of the transmissionunit and a second position in which the activation unit is arranged toactivate the supply of the transmission unit.
 3. The system according toclaim 1, wherein: the information analysis and filtering unit is furtherconfigured to generate a first operation termination signal indicatingthe completion of the information analysis and filtering unitoperations; the information encryption unit is further configured togenerate a second operation termination signal indicating the completionof operations of the information encryption unit; and the processor isfurther configured to generate the command signal in response to thesuccessive generation of the first operation termination signal and thesecond operation termination signal.
 4. The system according to claim 1,further comprising: a memory port coupled to the processor andconfigured to receive a portable memory; and a portable memoryreceivable in the memory port and configured for storing filtering dataand encryption data; wherein, the processor configured the filteringsignal and the encryption signal, based on the filtering data andencryption data, respectively.
 5. The system according to claim 4,wherein: the portable memory is further configured to store at least onecontact list comprising at least one call number for a mobile device tobe contacted, where each call number is related to at least one secondmetadata related to the operation of the first information system; theprocessor is further configured to include the contact list in thefiltering signal; the information analysis and filtering unit is furtherconfigured to generate a relationship message relating the filteredmessage and at least one call number for which the at least one secondmetadata matches the first metadata; the information encryption unit isfurther configured to relate the relationship message to the encryptedmessage; and the message sending unit is further configured to send thecall message depending on the relationship message.
 6. The systemaccording to claim 5 wherein the message sending unit is furtherconfigured to generate and send a periodic pulse message while waitingfor a call message.
 7. The system according to claim 1, wherein themessage sending unit is further configured to destroy the call messagefollowing sending the call message.
 8. The system according to claim 1,wherein the message sending unit is configured for sending the callmessage by using a messaging protocol chosen among at least one of thefollowing protocols: SMS, MMS, XMPP and SMTP.
 9. The system according toclaim 1, wherein: the information analysis and filtering unit, theinformation encryption unit and the processor are included in a firstenclosure; the data diode circuit is included in a second enclosure; andthe message sending unit is included in a third enclosure; wherein thefirst enclosure, second enclosure and third enclosure are geographicallydistinct from each other such that no electromagnetic radiation can bepicked-up from one enclosure to another.
 10. The system according toclaim 1, wherein: the information analysis and filtering unit, theinformation encryption unit, the processor and the message sending unitare included in a first enclosure; and the data diode circuit isincluded in a second enclosure; wherein, the first enclosure and secondenclosure are geographically distinct from each other such that noelectromagnetic radiation is picked-up from the first enclosure to thesecond enclosure.
 11. A method for transmission of at least one messagefrom a first network of a first information system towards a secondnetwork of a second information system, where the first network has ahigher security classification than the second network, and where the atleast one message comprises at least one first metadata related to theoperation of the first information system, the method comprising thefollowing steps: generating filtered message by filtering the messagedepending on a filtering signal such that at least one sensitiveinformation related to the at least one first metadata is masked;generating an encrypted message by encrypting the filtered messagedepending on an encryption signal; unidirectionally transferring, by adata diode circuit, the encrypted message from the secured network tothe unsecured network depending on a command signal, only when thefiltering and encryption have been done.